TRENDING

CyberRX preps health care community for cyberattack

By William Jackson

Jul 01, 2014

The Department of Health and Human Services has been working for several years with the Health Information Trust Alliance (HITRUST), an industry organization, to share information on security threats. In April they conducted the CyberRX exercise to assess how far they have come in improving the security posture of the health care community.

CyberRX was designed to evaluate the response and preparedness of organizations threatened by attacks and attempts to disrupt U.S. health care operations. The exercise was a full-day interactive simulation of attack scenarios targeting medical devices, health information systems, health exchanges and HealthCare.gov

The initial exercise was modest, given the size of the industry; just 10 private sector organizations along with HITRUST and HHS. But it produced worthwhile lessons on the value of practice and communications to cybersecurity, said HITRUST CEO Daniel Nutkis.

“The first lesson was pretty clear,” he said. “There is no substitute for testing your processes in a real world scenario.” All of the participants said they benefitted from the exercise, and the goal is to bring more organizations in on future events. “Everybody got better; nobody wasted their time.”

In fact, the recent “Heartbleed” vulnerability in the popular OpenSSL cryptographic software library presented a valuable real world test of the benefits of these exercises. More than one CyberRX exercise participant has indicated it learned lessons from the CyberRX exercise to react quickly and more effectively address the issues.

The second lesson was that organizations need to collaborate and share information about threats and their experiences, Nutkis said. “Nobody can do it on their own.”

Through their collaboration, HITRUST and HHS are fostering an environment in which cybersecurity information can be shared across the industry and with government. Is it good enough? “Absolutely not,” Nutkis said. “We have made strides,” but more than 99 percent of the health care community did not participate in the initial CyberRX exercise. “We need to bring more in.”

There likely will be more participating in a second exercise, tentatively planned for late this summer. So far, more than 500 organizations have asked to participate. Accommodating that number of participants probably will require a tiered structure in which organizations go through progressively more complex scenarios, passing one set of challenges before moving on to the next.